DoT with DNSSEC and OpenVPN Client DNS Strict behaviour

Thread starter: Deleted member 62525
I thought I'd post this topic since we had a few DNS changes and new functionality added to the firmware in 384.12 and 384.13.

Below is the configuration example (my own setup on an RT-86U).
1. WAN DNS section: DNSSEC is enabled
2. WAN DNS DoT is enabled in Strict mode using Quad1 and Quad2 DNS servers.
3. OpenVPN Client DNS is set to Strict mode. In addition, the VPN configuration section has the entry dhcp-option DNS <vpn dns IP>
4. VPN Policy has all clients using the VPN except the smart TV, which uses the WAN.

With the above configuration for both WAN and VPN Client (2 separate DNS sets), I have noticed that when I perform a DNS leak test on my VPN clients they all use the WAN DoT DNS and not the VPN DNS.

Switching VPN DNS to Exclusive makes the VPN clients use the VPN DNS, but at that point Diversion cannot work.

In previous versions of the firmware, VPN DNS Strict mode worked without issues even when I used Stubby on the command line to get DoT working. So, my question is whether this new behaviour is by design/intended or a bug? It could well be that my config is interfering with the setup in some way. Can anyone confirm this?
I tried resetting the router, clearing NVRAM and redoing the setup, but I still get the same results.


My objective is to have all VPN clients use VPN DNS and Diversion working, while non-vpn clients use WAN DoT DNS servers.
 
Any device not configured to use the router as DNS will not have Diversion protection. For instance if you are set to use 192.168.1.X as DNS then Diversion should work. Anything else like VPN DNS or any other DNS will not work. You were just lucky that in strict mode the router was used successfully first.
 
I don't understand what you mean by your last statement. With VPN DNS set to Strict mode, the VPN clients were forced to use the VPN DNS. That was true in older versions like 384.9. Diversion was working too since the router was using dnsmasq. Do you think it was by chance that it worked?
 
To use VPN DNS only, choose "Accept DNS Configuration: Exclusive" on the VPN client page. Any device set to use the VPN DNS will not be covered by Diversion ad filtering. Diversion only works when the router's address is the DNS for the device. In your case you are instructing the VPN client to only use the DNS provided by the VPN provider, thus no Diversion filtering for devices in the tunnel. DNS Filtering under LAN can help if you need device-specific DNS resolution. Turn it on and choose Router for the Global Filter. Then you can add a device to the filter and set a DNS address specific to that device. This allows you to run most of your devices through a tunnel with Diversion working (with Accept DNS Configuration set to Disabled), while separating out devices that need a specific DNS address, inside or outside the VPN tunnel. If I were you I would read up on the function of DNS Filter. It is truly a great feature!
 
> Below is the configuration example (my own setup on an RT-86U).
> 1. WAN DNS section: DNSSEC is enabled
> 2. WAN DNS DoT is enabled in Strict mode using Quad1 and Quad2 DNS servers.
> 3. OpenVPN Client DNS is set to Strict mode. In addition, the VPN configuration section has the entry dhcp-option DNS <vpn dns IP>
> 4. VPN Policy has all clients using the VPN except the smart TV, which uses the WAN.

What I would do to accomplish what you outline above:
1. I agree
2. I agree
3. The OpenVPN client DNS setting should be set to Exclusive; this makes everything using the VPN use the VPN provider's DNS. (No need for the additional dhcp-option.)
4. I agree (however, so far only the smart TV has Diversion filtering at this point).
5. Set DNS Filter to on and Global to Router. Any device needing Diversion filtering needs to be defined here, to use the router as its filter. DNS servers other than the VPN provider's (in the VPN tunnel) can be added and defined in these custom fields; set the filter to Router to be filtered by Diversion. (You should read up on DNS Filter first.) I have mine set this way so I know it works.
6. Observe and test. Get back to me here.

Notes: You can alternatively set Accept DNS Configuration to Disabled in the VPN client and use DNS Filter to point specific devices to specific DNS servers.
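Added example, not the thread author's setup and not the Asuswrt-Merlin firmware's own code: a small offline Python model of the three Accept DNS Configuration modes (Strict, Exclusive, Disabled) and the DNSFilter override discussed in the original post and in the replies above. It makes the distinction both posters are circling explicit: Diversion only sees a query when the router's dnsmasq is the client's first hop, and in the Strict case that first hop can still forward to the WAN DoT listener when it is listed first under strict-order, which matches the "VPN clients use WAN DoT DNS but Diversion still filters" observation. All addresses, the client MAC, the stubby listener address and the dnsmasq fragments are constructed assumptions, and the way each mode is modelled is an assumption rather than the firmware's internals.

```python
# Added example (not the forum author's setup, not Asuswrt-Merlin code): an
# offline model of which resolver answers a LAN client's query under the
# OpenVPN client "Accept DNS Configuration" modes and the DNSFilter override,
# and whether Diversion (a dnsmasq blocklist on the router) sees the query.
# Addresses, MACs, the stubby listener and the dnsmasq fragments are
# constructed; how each mode is modelled is an assumption.

ROUTER = "192.168.1.1"          # assumed router LAN address
VPN_DNS = "10.8.0.1"            # assumed resolver pushed by the VPN provider
DOT_LISTENER = "127.0.1.1#53"   # assumed local DoT (stubby) listener used as a dnsmasq upstream

# Constructed fragment for "Strict": the DoT listener is listed before the
# VPN resolver, and strict-order makes dnsmasq try upstreams in listed order.
DNSMASQ_STRICT = f"""
no-resolv
strict-order
server={DOT_LISTENER}
server={VPN_DNS}
addn-hosts=/opt/share/diversion/list/blockinglist
"""

# Constructed fragment for "Disabled": only the WAN side (DoT) is configured.
DNSMASQ_DISABLED = f"""
no-resolv
server={DOT_LISTENER}
addn-hosts=/opt/share/diversion/list/blockinglist
"""


def parse_dnsmasq(text):
    """Extract upstream list, strict-order flag and blocklist presence from a
    dnsmasq fragment; blank lines and '#' comment lines are ignored."""
    cfg = {"upstreams": [], "strict_order": False, "blocklist": False}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line == "strict-order":
            cfg["strict_order"] = True
        elif line.startswith("server="):
            cfg["upstreams"].append(line[len("server="):])
        elif line.startswith("addn-hosts="):
            cfg["blocklist"] = True
    return cfg


def resolve_path(client_mac, accept_dns_mode, dnsmasq_text, dnsfilter=None, in_tunnel=True):
    """Model where a client's port-53 query goes.

    Returns a dict: first_hop (address the query reaches first), diversion
    (True only when the router's dnsmasq with its blocklist answers),
    upstreams (router forwarders, empty when the router is bypassed) and
    strict_order (whether those forwarders are tried in listed order).
    Assumptions: a DNSFilter entry overrides everything; "exclusive" sends
    tunnel clients straight to VPN_DNS; "strict" and "disabled" leave the
    router as the client's resolver and differ only in the dnsmasq fragment.
    """
    dnsfilter = dnsfilter or {}
    target = dnsfilter.get(client_mac)
    if target is not None and target != "router":
        # DNSFilter custom entry: query redirected straight to that server
        return {"first_hop": target, "diversion": False, "upstreams": [], "strict_order": False}
    if target is None and accept_dns_mode == "exclusive" and in_tunnel:
        # Exclusive: tunnel clients' queries go straight to the VPN resolver
        return {"first_hop": VPN_DNS, "diversion": False, "upstreams": [], "strict_order": False}
    cfg = parse_dnsmasq(dnsmasq_text)
    return {
        "first_hop": ROUTER,
        "diversion": cfg["blocklist"],
        "upstreams": list(cfg["upstreams"]),
        "strict_order": cfg["strict_order"],
    }


def leaks_to_wan(path):
    """True when the query can end up at the WAN-side DoT forwarder rather
    than the VPN resolver (the thread's 'VPN clients use WAN DoT DNS')."""
    if path["first_hop"] == ROUTER:
        if path["strict_order"]:
            return bool(path["upstreams"]) and path["upstreams"][0] == DOT_LISTENER
        return DOT_LISTENER in path["upstreams"]   # any listed upstream may be chosen
    return path["first_hop"] != VPN_DNS


if __name__ == "__main__":
    phone = "aa:bb:cc:dd:ee:01"   # constructed client MAC
    cases = [
        ("strict", "strict", DNSMASQ_STRICT, {}),
        ("exclusive", "exclusive", DNSMASQ_DISABLED, {}),
        ("disabled + DNSFilter=Router", "disabled", DNSMASQ_DISABLED, {phone: "router"}),
        ("disabled + DNSFilter=Custom2 (VPN DNS)", "disabled", DNSMASQ_DISABLED, {phone: VPN_DNS}),
    ]
    for label, mode, frag, flt in cases:
        p = resolve_path(phone, mode, frag, flt)
        print(f"{label:40} first hop {p['first_hop']:14} "
              f"Diversion={p['diversion']!s:5} leaks_to_wan={leaks_to_wan(p)}")
```

Running the script prints one line per case; the Strict row shows the router as first hop with Diversion applied yet a WAN leak, while the Exclusive and Custom2 rows show no leak and no Diversion, which is the trade-off the replies describe.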
 

I set DNSFilter to Global, then set up Custom2 DNS to point to my VPN DNS. Used that and added my iPhone MAC -> Custom2 in DNSFilter. VPN Client DNS set to Disabled.
When tested, Diversion is not working. This is the same effect as using VPN Client DNS set to Exclusive.
 